- 19 December 2018
- Posted by: Elaine McGrath
- Categories: Commercial Law, Commercial Litigation, Intellectual Property
Cyber Security – How well is your business protected?
The threat of cyber attack is an increasing risk for businesses of all shapes and sizes. Cyber criminals, hackers and online scammers have become extremely sophisticated in their methods. The consequences of a cyber attack on your business could be significant, including data protection breaches, monetary loss, business interruption, reputational damage and potential litigation from affected customers or clients. While most businesses are aware of such risks, the majority are not prepared for such an eventuality. While you may not be able to entirely insulate your business from the threat of attack, being prepared means that you can minimise the potential damage it would cause.
- IT risk review
The first step is to carry out a review of your current IT security procedures to assess, from an IT point of view, where there are weaknesses and, from a data point of view, what needs to be protected. Your IT provider will be able to make recommendations and there may be a risk/cost analysis to be carried out in terms of implementing such recommendations. In carrying out such an assessment it would be dangerous to take an ‘it won’t happen to us’ approach. As the nature of the risks from cyber attack is constantly changing and becoming more sophisticated, regular reviews should be carried out.
- Internal Policies
You should have a policy on IT security, communicated to all staff, that deals with matters such as password protection, use of remote devices, sharing of sensitive data such as customer bank account details and opening of suspected spam mail. Ensuring that all your team are aware of the risks and take responsibility for implementing a firm security policy will greatly minimise the risk of attack.
It is advisable to consult with your insurers to ascertain whether your policies of insurance cover you in the event of a cyber attack. If not, you may want to consider amending current policies or taking out a specific policy for that purpose.
- Crisis strategy
Many businesses that have internal security policies in place have not considered a strategy or policy to apply in the event of a cyber attack. Having considered this in advance will assist with minimising potential risk and loss. You might consider appointing a designated person to take responsibility for co-ordinating the response to such an attack. The extent of the attack and data loss will need to be assessed and it will have to be considered whether the Gardaí need to be informed. Matters such as your reporting requirements to the Office of the Data Protection Commissioner and/or other regulatory body, and informing banks and insurers as well as customers or clients who may be affected, need to be considered.
Where clients are affected, there will certainly be some reputational damage and negative publicity. While your business will have been the victim of the attack, criticism will often be levelled against the victim for not having adequate security in place or for the manner in which they deal with the event. Therefore, your customer service would need to be briefed on how to respond to queries.
Just as there are many types of cyber attack, there are, of course, many approaches to dealing with an attack and no one approach is correct. However, being proactive in planning for such an eventuality rather than reactive will undoubtedly minimise the risk of attack and, in the event of an attack, minimise the effect of it.
For further information please contact Elaine McGrath at firstname.lastname@example.org